b'   Office of Inspector General\n       Audit Report\n\n\nQUALITY CONTROL REVIEW FOR THE AUDIT\n   OF DOT PROTECTION OF PRIVACY\n            INFORMATION\n         Department of Transportation\n\n         Report Number: QC-2014-053\n          Date Issued: June 05, 2014\n\x0c           U.S. Department of\n                                                               Memorandum\n           Transportation\n           Office of the Secretary\n           of Transportation\n           Office of Inspector General\n\n\nSubject:   ACTION: Quality Control Review for the Audit of                              Date:    June 5, 2014\n           DOT Protection of Privacy Information\n           Report Number QC-2014-053\n\n  From:    Louis King                                                                Reply to\n                                                                                     Attn. of:   JA-20\n           Assistant Inspector General for Financial and\n             Information Technology Audits\n\n    To:    Chief Information Officer\n\n           The Department of Transportation (DOT) works to protect the privacy of all\n           individuals while delivering efficient, accessible, and convenient transportation\n           systems and services. Through its privacy program, DOT has determined that 167\n           of its 454 computer systems contain personally identifiable information (PII) about\n           the public and/or DOT employees. Eleven of DOT\xe2\x80\x99s 12 operating administrations\n           have at least one system with privacy information.\n\n           In the Fiscal Year 2005 Consolidated Appropriations Act for Transportation,\n           Treasury, Independent Agencies, and General Government, 1 Congress required\n           agencies to enhance the protection of PII that they collect and use. 
The act also\n           required agencies to create Chief Privacy Officer positions, submit reports on their\n           privacy programs to Congress and their inspectors general, and have independent\n           third-party audits of their privacy programs performed.\n\n           Our objectives were to determine whether DOT (1) has established adequate\n           procedures for the collection, use, and security of PII; (2) ensures compliance with\n           its own privacy and data protection policies and applicable laws and regulations to\n           prevent unauthorized access to or unintended use of PII; and (3) operating\n           administrations properly evaluate the necessity of using PII to process system data.\n\n           We contracted with an independent auditor, CliftonLarsonAllen LLP (CLA), to\n           conduct this work. CLA concluded that the privacy controls tested, taken\n           collectively, were not effective and made ten recommendations to improve DOT\xe2\x80\x99s\n\n           1\n             Pub. L. 108-447, Div. H, Title V, \xc2\xa7 522 (December 8, 2004), as amended by Pub. L. 110-161, Div. D, Title VII,\n           \xc2\xa7 742(b) (December 26, 2007).\n\x0c                                                                                                                   2\n\n\nprivacy program which are included in this report\xe2\x80\x99s exhibit. 2 We agree and are not\nmaking any additional recommendations. As of May 9, 2014, DOT\xe2\x80\x99s Chief\nPrivacy Officer concurred with the recommendations and committed to the\ncompletion of corrective actions (see the appendix to this report). In accordance\nwith DOT Order 8000.1C, the corrective actions taken in response to the findings\nare subject to follow-up.\n\nWe performed a quality control review (QCR) of CLA\xe2\x80\x99s report and related\ndocumentation. 
Our QCR, as differentiated from an audit engagement performed\nin accordance with generally accepted Government auditing standards, was not\nintended for us to express, and we do not express, an opinion on DOT\xe2\x80\x99s protection\nof privacy information. CLA is responsible for its independent auditor\xe2\x80\x99s report,\ndated March 24, 2014, and the conclusions expressed in that report (see\nattachment). Our QCR disclosed no instances in which CLA did not comply, in all\nmaterial respects, with generally accepted Government auditing standards.\n\nWe appreciate the courtesies and cooperation of the representatives of DOT and its\noperating administration representatives during this engagement. If you have any\nquestions concerning this report, please call me at (202) 366-1407, or Nathan\nCuster, Program Director, at (202) 366-5540.\n\nAttachments\n\n                                                         #\n\ncc: Deputy Secretary\n    DOT Chief Information Officer\xe2\x80\x99s Council Members\n    DOT Audit Liaison\n\n\n\n\n2\n  For security reasons, specific information concerning privacy program weaknesses, vulnerabilities, and deficiencies\nare not discussed in this report but were provided to DOT and operating administrations\xe2\x80\x99 privacy officers.\n\x0c                                                                                     3\n\n\nEXHIBIT. 
RECOMMENDATION SUMMARY OF CLA LLP,\nINDEPENDENT AUDITOR\n\nCLA made the following recommendations, and OIG agrees, that DOT should\nimplement to enhance its privacy program controls.\n\n                      DOT Chief Information Officer\n       Implements and monitors a process for ensuring compliance with the\n  1    Privacy Act, as amended and all other federal privacy related directives\n       as well as DOT\xe2\x80\x99s established privacy and data protection policies.\n       Implements and monitors a process for ensuring information system\n       security controls are implemented and operating according to federal\n  2    requirements and DOT policy in order to assist with safeguarding the\n       confidentiality of PII.\n       Conducts a review of the organizational structure and resources and\n       requests necessary changes to improve program compliance and\n       strengthen the line of accountability from the Operating Administration\n  3    Privacy programs to the Departmental Privacy officer in order for the\n       Departmental Privacy Officer to effectively administer the\n       implementation and management of the DOT Privacy Policy and\n       Program.\n       Ensures the inventory of systems containing PII and DOT websites is\n       monitored and updated at least annually and implements procedures that\n  4    will trigger a change to the inventory listing when systems are added,\n       deleted, or when changes occur.\n       Updates DOT policy to reinforce Operating Administrations\n       responsibilities to ensure they are able to illustrate the privacy controls\n       required by federal laws and regulations, and DOT policies by providing\n  5    evidence that the controls are in place and functioning effectively and\n       responding to notification of findings to make sure that control\n       weaknesses are addressed.\n                         DOT Chief Privacy Officer\n       Conducts an annual review of DOT Privacy policies and 
practices to\n  6    ensure policies and procedures reflect current regulations, guidance and\n       policy.\n\n\n\n\nExhibit. Recommendation Summary of CL A LLP, Independent Auditor\n\x0c                                                                                 4\n\n\n       Implements procedures that ensure oversight of PIAs, and communicates\n       the requirements and expectations for such assessments and other\n  7    activities, including but not limited to, improved recordkeeping\n       conducted by the Operating Administration Privacy Officers necessary\n       for program success.\n                 Operating Administration Privacy Officers\n       Ensure PIAs are completed, reviewed and approved by the Departmental\n  8    Privacy Officer prior to the deployment of any system containing PII.\n       Ensure ongoing validation of specific privacy related security controls\n       for their systems are in effect, including those that safeguard\n       confidentiality, provide secure remote access, encryption of back up\n       media, follow up of unauthorized mobile devices, and proper user\n  9    account and password settings in accordance with DOT policy. In\n       addition, implement procedures requiring Operating Administrations to\n       report non-compliance in their systems to the DOT Chief Privacy\n       Officer.\n       Conduct an annual review their web sites ensuring proper and accurate\n  10   posting of their Privacy policies.\n\n\n\n\nExhibit. 
Recommendation Summary of CL A LLP, Independent Auditor\n\x0cAppendix\nSee the next page for Agency Comments.\n\x0cTO:        Louis King\n           Assistant Inspector General for Financial and\n           Information Technology Audits\n\nFROM:      Richard McKinney                                                         May 9, 2014\n           Chief Information Officer (CI\n\nSUBJECT: ACTION: Response to the Office of Inspector General\n         Draft Report on US Department of Transportation\'s Privacy Program and\n         Implementation - 2013\n\n\n\nThe Department of Transportation (DOT) continues to strengthen the primary mission of the privacy\nprogram, which is to protect and educate all individuals impacted by our work activities, as well as respect\nthe needs of our employees. There are privacy elements to every aspect of the collection, maintenance,\ndisclosure, and destruction of information about individuals; either collected, used, or created by DOT.\nWe acknowledge the continuing challenge to institutionalize a culture of privacy within all of our\nemployees. The Department also recognizes that these challenges, and the safeguarding of its vast\ninformation holdings, are only successful through a shared understanding and practice of all employees.\n\nIn the ongoing efforts to move the program forward, the DOT Chief Privacy Officer (CPO} drafted a\ncomprehensive policy that addresses Privacy at the Department. The draft DOT Privacy Risk\nManagement Policy, received significant contributions from privacy, security, information management\nand legal professionals across the Department. The policy is expected to be submitted for final\nconcurrence and signature in September 2014 and will firmly establish the Department\'s privacy\nframework. Centered on the Fair Information Practice Principles (FIPPs}, the policy will clarify\ncompliance requirements and responsibilities. 
Once the policy is published, the DOT CPO will issue\nsupplemental guidance and implementation instructions necessary to ensure consistent and verifiable\nexecution of policy requirements, roles, and responsibilities.\n\n\n\nRECOMMENDATIONS AND RESPONSE\nRecommendation 1: Conduct an annual review of DOT Privacy policies and practices to ensure policies\nand procedures reflect current regulations, guidance and policy.\n\nResponse: Concur. The DOT CPO will conduct an annual review of the forthcoming Privacy Risk\nManagement Policy upon its issuance anniversary. The review will address any gaps in coverage or\nimplementation and will be updated accordingly. Expected completion date is September 30, 2015.\n\n\nRecommendation 2: Implement procedures that ensure oversight of PIAs, and communicates the\nrequirements and expectations for such assessments and other activities, including but not limited to,\nimproved recordkeeping conducted by the Operating Administration (OA} Privacy Officers necessary for\nprogram success.\n\x0cResponse: Concur. The DOT CPO will issue supplemental guidance and implementation instructions to\nthe forthcoming DOT Privacy Risk Management Policy that address the requirements and expectations\nfor the timely completion, acceptance and publication of PIAs. The supplemental guidance and\nimplementation instructions will articulate when activities must be completed and the timing of any\nrequired re views, updates, and approvals by the DOT CPO. Expected completion date is December 31,\n2014.\n\n\nRecommendation 3: Ensure PIAs are completed, reviewed and approved by the Departmental Chief\nPrivacy Officer prior to the deployment of any system containing PII.\n\nResponse: Concur. The DOT CPO will issue supplemental guidance and implementation instructions to\nthe forthcoming DOT Privacy Risk Management Policy to include specific requirements for the\ncompletion of privacy risk assessment documentation. 
The supplemental guidance and implementation\ninstructions will clearly articulate when assessment activities must be completed and the timing of any\nrequired reviews, updates, and approvals by the DOT CPO. OA Privacy Officers remain responsible for\nensuring the execution of privacy risk management activities within their OA. Expected completion date is\nDecember 31, 2014.\n\n\nRecommendation 4: Ensure the inventory of systems containing PII and DOT websites are monitored\nand updated at least annually and implements procedures that will trigger a change to the inventory\nlisting when systems are added, deleted, or when changes occur.\n\nResponse: Concur. The DOT CPO and the Director of Information Technology (IT) Strategy will review\nthe existing processes for updating and maintaining the DOT website inventory. The review will be used to\nidentify means of improving the efficiency and effectiveness of website management and oversight\nactivities. Expected completion date is March 30, 2015.\n\n\nRecommendation 5: Implement and monitor a process for ensuring information system security\ncontrols are implemented and operating according to federal requirements and DOT policy in order to\nassist with safeguarding the confidentiality of PII.\n\nResponse: Concur. The DOT CPO will review the security controls included in NIST 800-53r4 and\nidentify those controls which directly support the forthcoming DOT Privacy Risk Management Policy.\nThe DOT CPO will determine which of these privacy supporting security controls should be implemented\nby systems that collect, use, store, or transmit sensitive PII and work the Chief Information Security\nOfficer (CISO) to develop an approach for their incorporation into the Department\'s existing continuous\nmonitoring program. 
If necessary, the DOT CPO will issue supplemental guidance and implementation\ninstruction(s) for the forthcoming DOT Privacy Risk Management Policy for continuous monitoring of\nprivacy supporting security controls. Expected completion date is March 30, 2015.\n\n\nRecommendation 6: Ensure ongoing validation of specific privacy related security controls for their\nsystems are in effect, including those that safeguard confidentiality, provide secure remote access,\nencryption of back up media, follow up of unauthorized mobile devices, and proper user account and\npassword settings in accordance with DOT policy. In addition, implement procedures requiring\nOperating Administrations to report non-compliance in their systems to the DOT Chief Privacy Officer.\n\nResponse: Concur. The DOT CPO will issue supplemental implementation instructions to the forthcoming\nDOT Privacy Risk Management Policy requiring OAs to verify the implementation of the controls cited\n(safeguarding confidentiality, provide secure remote access, encryption of back-up media, follow-up of\n\x0cUnauthorized mobile devices, and proper user account and password settings) for all systems containing\nsensitive PII. The implementation instructions will require OAs to report compliance gaps to the CPO and\nCISO, enter Plans of Actions & Milestones (POA&M) into the Cyber Security Assessment and\nManagement (CSAM) system, and keep the CPO and CISO apprised of progress in closing POA&Ms.\nExpected completion date is March 30, 2015.\n\n\nRecommendation 7: Conduct an annual review their web sites ensuring proper and accurate\nposting of their Privacy policies.\n\nResponse: Concur. The forthcoming DOT Privacy Risk Management Policy will clarify requirements for\nOAs implementation and periodic review of their websites. 
The DOT CPO will conduct an annual review\nof OAs to ensure they have an approved website privacy policy, and address any compliance gaps.\nExpected completion date is September 30, 2014.\n\n\nRecommendation 8: Conduct a review of the organizational structure and resources and requests\nnecessary changes to improve program compliance and strengthen the line of accountability from the\nOperating Administration Privacy programs to the Departmental Privacy officer in order for the DOT\nPrivacy Officer to effectively administer the implementation and management of the DOT Privacy Policy\nand Program.\n\nResponse: Concur. The DOT CIO will conduct a review of the organizational structure and resources\nallocated to the privacy risk management program and recommend necessary changes to ensure that\nthe DOT privacy program is appropriately organized and adequately resourced to meet its obligations.\nThe review will include a comparison of the privacy program structure, roles, responsibilities, and\nresources with those of similar federal agencies. Expected completion date is December 31, 2014.\n\n\nRecommendation 9: Implement and monitor a process for ensuring compliance with the Privacy Act, as\namended and all other federal privacy related directives as well as DOT\'s established privacy and data\nprotection policies.\nResponse: Concur. The forthcoming Risk Management Policy will address DOT and OA responsibilities\nfor compliance with the Privacy Act, other federal statute, guidance, and other DOT policy. The DOT\nCPO will issue supplemental guidance and implementation instructions to the forthcoming policy to\ninclude specific requirements for ensuring appropriate implementation and monitoring of compliance\nwith the Privacy Act and other federal privacy related directives and DOT policy as appropriate. 
The\nguidance and implementation instructions will clearly articulate when assessment activities must be\ncompleted and the timing of any required reviews, updates, and approvals by the DOT CPO. OA Privacy\nOfficers remain responsible for ensuring the execution of privacy risk management activities within their\nOA. Expected completion date is September 30, 2014.\n\n\nRecommendation 10: Update DOT policy to reinforce Operating Administrations responsibilities to\nensure they are able to illustrate the privacy controls required by federal laws and regulations, and DOT\npolicies by providing evidence that the controls are in place and functioning effectively and responding\nto notification of findings to make sure that control weaknesses are addressed.\n\nResponse: Concur. The forthcoming Privacy Risk Management Policy will address DOT and OA\nresponsibilities for compliance with the Privacy Act, other federal statute, guidance, and other DOT\npolicy. The DOT CPO will issue supplemental guidance and implementation instructions to the\nforthcoming policy to include specific requirements documenting evidence of implementation and on-\n\x0cgoing management of privacy controls. The guidance and implementation instructions will establish\nbaseline controls to be implemented by OAs. The guidance and instructions will clearly articulate when\ncontrols must be implemented and the timing of any required reviews, updates, and approvals by the\nDOT CPO. OA Privacy Officers remain responsible for ensuring the execution of privacy risk\nmanagement activities within their OA. Expected completion date is September 30, 2014.\n\n\n\nThe Office of the DOT CIO appreciates the opportunity to review and respond to the report. 
If you have\nany questions concerning the response, please contact Claire Barrett at (202) 527.3284, or by email at\nclaire.ba rrett@dot.gov\n\x0cAttachment\nSee the next page for the Independent Auditor\xe2\x80\x99s Report.\n\x0c                                             CliftonLarsonAllen LLP\n                                             www.claconnect.com\n\n\n\n\n    CliftonLarsonAllen LLP\xe2\x80\x99s Independent\nAudit of the Department of Transportation\xe2\x80\x99s\nPrivacy Program and Implementation - 2013\n\n\n                 Prepared for the\n          Assistant Inspector General for\n   Financial and Information Technology Audits\n          Department of Transportation\n            Office of Inspector General\n\n                March 24, 2014\n\x0c                                                             Table of Contents\n\nExecutive Summary......................................................................................................................... 3\nBackground ..................................................................................................................................... 6\n   DOT Privacy Office ....................................................................................................................... 7\n   DOT Privacy Monitoring and Compliance ................................................................................... 8\n   DOT Privacy Awareness and Training ......................................................................................... 8\nResults of Audit ............................................................................................................................... 9\n   Overview ...................................................................................................................................... 9\n   1. DOT Privacy Protection Policies Need to be Enhanced......................................................... 11\n   2. 
DOT Needs to Improve the Process of Conducting Privacy Impact Assessments (PIAs) ...... 11\n   3. DOT Needs to Improve the Process of Regularly Monitoring and Updating the\n      DOT Website Inventory ........................................................................................................ 13\n   4. DOT Needs to Improve Technology Controls to Assist in Safeguarding the\n      Confidentiality of PII ............................................................................................................. 14\n   5. DOT Needs to Improve the Process of Regularly Reviewing Privacy Policy Content\n      on DOT Websites .................................................................................................................. 17\n   6. DOT Needs to Review the Current Organizational Structure of the Privacy Program\n      to Ensure Effective Management and Accountability of the Privacy Policy\n      and Program ....................................................................................................................... 18\n   7. DOT Needs to Ensure Management Can Demonstrate that Controls are Effectively\n      Implemented for Safeguarding PII. In addition DOT Needs to Ensure Management\n      Responds to Notification of Control Weaknesses .............................................................. 19\nAppendix I \xe2\x80\x93 Objective, Scope, and Methodology........................................................................ 21\nAppendix II \xe2\x80\x93 Summary of Key Criteria Tested ............................................................................. 
26\n\x0cCLA\xe2\x80\x99s Independent Audit of DOT\xe2\x80\x99s Privacy Program and Implementation - 2013\n\n\nExecutive Summary\n\nMarch 24, 2014\n\n\n\nOffice of Inspector General\nDepartment of Transportation\n1200 New Jersey Ave, SE\nWashington, DC 20590\n\nSection 522 of the Consolidated Appropriations Act of 2005, (Division H, Transportation, Treasury,\nIndependent Agencies, and General Government Appropriations Act, 2005) as amended requires that\neach agency designate a Chief Privacy Officer (CPO) and implement comprehensive privacy and data\nprotection procedures governing the agency\xe2\x80\x99s collection, use, sharing, disclosure, transfer, storage, and\nsecurity of information in an identifiable form relating to agency employees and the public. Section 522\nalso requires the Inspector General of each agency to periodically conduct a review of the agency\xe2\x80\x99s\nimplementation of the requirements of Section 522 including the agency\xe2\x80\x99s privacy program. The\nDepartment of Transportation Office of the Inspector General (DOT-OIG) contracted with\nCliftonLarsonAllen (CLA) to conduct a review of the DOT information management practices for\nprotection of Personally Identifiable Information (PII), as they relate to the guidelines set forth in the\nSection 522 of the Consolidated Appropriations Act of 2005. In this section of the Act, the definition of\n"identifiable form" is consistent with Public Law 107-347, the E-Government Act of 2002, and means any\nrepresentation of information that permits the identity of an individual to whom the information applies\nto be reasonably inferred by either direct or indirect means.\n\nThe objective of the audit was to evaluate DOT information management practices for the protection of\nPII in order to:\n\nA. determine the accuracy of the descriptions of the use of information in identifiable form while\n   accounting for current technologies and processing methods;\nB. 
determine the effectiveness of privacy and data protection procedures by measuring actual\n   practices against established procedural guidelines;\nC. ensure compliance with the stated privacy and data protection policies of DOT and applicable laws\n   and regulations; and\nD. ensure that all technologies used to collect, use, store, and disclose information in identifiable form\n   allow for continuous auditing of compliance with stated privacy policies and practices governing the\n   collection, use, and distribution of information in operation of the program and provide DOT with\n   recommendations, strategies, and specific steps, to improve privacy and data protection\n   management.\n\nCLA\xe2\x80\x99s audit included interviewing key privacy personnel and a review of DOT\xe2\x80\x99s privacy related policies\nand procedures including incident response, the structure and positioning of the Privacy Office\xe2\x80\x99s\nfunction within the agency, the monitoring and compliance efforts of the Privacy Office, DOTs technical\ncontrols to protect privacy information, review of DOT\xe2\x80\x99s website compliance and review of DOT\xe2\x80\x99s\nprivacy related training program. These areas were assessed accordingly within the context of the\nrequirements and recommendations of Section 522 of the Consolidated Appropriations Act of 2005,\nSection 208 of the E-Government Act of 2002, the Privacy Act of 1974, Office of Management and\n\n\n                                                    3\n\x0cCLA\xe2\x80\x99s Independent Audit of DOT\xe2\x80\x99s Privacy Program and Implementation - 2013\n\n\nBudget (OMB) Memorandum M-00-13, M-03-22, M-05-08, M-06-19, M-07-16, M-10-22 and M-99-18,\nand National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122. 
Our audit\nwas performed in accordance with Generally Accepted Government Auditing Standards (GAGAS).\n\nDOT has determined that 167 systems of its 454 computer systems contain personally identifiable\ninformation (PII) about the public and DOT employees. Twelve of the thirteen Operating Administrations\n(OAs) contained at least one system with privacy information. DOT\xe2\x80\x99s privacy program had a number of\nstrengths, including but not limited to the following:\n\n    \xe2\x80\xa2   Privacy reporting activities met the requirements of OMB and the E-Government Act of 2002;\n    \xe2\x80\xa2   The Breach Notification Policy is documented and roles and responsibilities are defined;\n    \xe2\x80\xa2   Privacy incidents are tracked and reported in compliance with United States Computer\n        Emergency Readiness Team (US-CERT) timelines; and\n    \xe2\x80\xa2   Individuals with increased privacy responsibilities complete specialized privacy training on an\n        annual basis\n\n    While DOT\xe2\x80\x99s privacy program had a number of strengths, DOT needs to strengthen its\n    implementation of information privacy protections, including full compliance with federal laws,\n    regulations and policies. 
The audit identified the following opportunities for improving the overall\n    agency-wide privacy program:\n\n    \xe2\x80\xa2   DOT privacy protection policies need to be enhanced;\n    \xe2\x80\xa2   The process of completing Privacy Impact Assessments (PIAs) needs improvement;\n    \xe2\x80\xa2   The process of regularly monitoring and updating the DOT website inventory needs\n        improvement;\n    \xe2\x80\xa2   Technology controls to assist in safeguarding the confidentiality of PII need improvement;\n    \xe2\x80\xa2   The process of regularly reviewing the privacy policy content on DOT websites needs\n        improvement;\n    \xe2\x80\xa2   The current organizational structure needs to be reviewed to ensure effective management and\n        accountability of the privacy program; and\n    \xe2\x80\xa2   Management needs to demonstrate that controls are effectively implemented for safeguarding\n        PII. In addition, management needs to respond to notification of control weaknesses.\n\nFurther, several of the recommendations made in this report relate to privacy practices that have not\nbeen incorporated into the agency\xe2\x80\x99s policies and procedures. Absent formal policies and procedures,\nDOT cannot ensure consistent program implementation. In addition, there may be potential civil and\ncriminal ramifications associated with noncompliance with laws if agency employees do not understand\ntheir responsibilities under the various privacy laws. DOT is vulnerable to an increased risk of a breach of\nsensitive data, which may result in personal harm, loss of public trust, legal liability, or increased costs of\nresponding to a breach. Addressing these control deficiencies in privacy and data protection procedures\nwill strengthen DOT\xe2\x80\x99s privacy program and contribute to ongoing efforts to achieve reasonable\nassurance of adequate protection of PII. 
This report makes ten recommendations to assist DOT in\nstrengthening its privacy program.\n\nCLA concluded that the privacy controls tested taken collectively were not effective. This performance\naudit did not constitute an audit of financial statements in accordance with GAGAS. CLA was not\nengaged to, and did not render an opinion on the DOT\xe2\x80\x99s internal controls over financial reporting or\n\n\n\n                                                      4\n\x0cCLA\xe2\x80\x99s Independent Audit of DOT\xe2\x80\x99s Privacy Program and Implementation - 2013\n\n\nfinancial management systems. Furthermore, the projection of any conclusions, based on our findings,\nto future periods is subject to the risk that controls may become inadequate because of changes in\nconditions, or because compliance with controls may deteriorate.\n\nSincerely,\n\n\n\n\nCLIFTONLARSONALLEN LLP\n\n\n\n\n                                                 5\n\x0cCLA\xe2\x80\x99s Independent Audit of DOT\xe2\x80\x99s Privacy Program and Implementation - 2013\n\n\nBackground\n\nOn October 15, 1966 the Department of Transportation was established by an act of Congress. The\nmission of the Department is to serve the United States by ensuring a fast, safe, efficient, accessible and\nconvenient transportation system that meets our vital national interests and enhances the quality of life\nof the American people, today and into the future. 
During the audit period the Department consisted of\nthe Office of the Secretary, the Office of the Inspector General and eleven other Operating\nAdministrations (OAs): the Federal Aviation Administration (FAA), the Federal Highway Administration\n(FHWA), the Federal Motor Carrier Safety Administration (FMCSA), the Federal Railroad Administration\n(FRA), the National Highway Traffic Safety Administration (NHTSA), the Federal Transit Administration\n(FTA), the Maritime Administration (MARAD), the Pipeline and Hazardous Materials Safety\nAdministration (PHMSA), the Research and Innovative Technology Administration (RITA), 1 the Saint\nLawrence Seaway Development Corporation (SLSDC), and the Surface Transportation Board (STD). The\nDepartment had a $147.6 million budget for fiscal year 2013 and a staff of more than 57,000.\n\nThe Department of Transportation Office of the Inspector General contracted with CliftonLarsonAllen\n(CLA) to conduct a review of DOT\xe2\x80\x99s information management practices for protection of Personally\nIdentifiable Information (PII), as they relate to the guidelines set forth in Section 522-d of the\nConsolidated Appropriations Act of 2005.\n\nPublic Law No. 108-447, Division H, Section 522 of the Transportation, Treasury, Independent Agencies,\nand General Government Appropriations Act of 2005 (commonly referred to as the Consolidated\nAppropriations Act of 2005) and OMB Memorandum M-05-08 Designation of Senior Agency Officials for\nPrivacy states that each agency shall have a Chief Privacy Officer to assume primary responsibility for\nprivacy and data protection policy. According to Section 522, each agency shall prepare a written report\nof its use of information in an identifiable form, 2 along with its privacy and data protection policies and\nprocedures and record it with the Inspector General of the agency to serve as a benchmark for the\nagency. 
Examples of information in identifiable form, also referred to as personally identifiable information, include name, address, social security number (SSN) or other identifying number or code, telephone number, email address, etc. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report.

In addition, Section 522 requires the Inspector General of each agency to periodically conduct an independent third party review of the agency's implementation of the requirements of the section to include:

   • Evaluating the agency's use of information in identifiable form;
   • Evaluating the privacy and data protection procedures of the agency; and
   • Recommending strategies and specific steps to improve privacy and data protection management.

[1] On January 30, 2014 the Department of Transportation's Research and Innovative Technology Administration (RITA) was integrated into DOT's Office of the Secretary of Transportation (OST) under the new name of the Office of the Assistant Secretary for Research and Technology. The Research and Technology team now reports directly to the DOT Secretary as part of the Omnibus bill signed by President Obama earlier in January 2014 elevating research, innovation and technology within DOT.
[2] The definition of "identifiable form" is consistent with the E-Government Act of 2002 (Public Law No. 101-347), and means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Per the requirements above, the independent third party review must also include:

   • A review of the agency's technology, practices, and procedures with regard to the collection, use, sharing, disclosure, transfer, and storage of information in identifiable form;
   • A review of the agency's stated privacy and data protection procedures with regard to the collection, use, sharing, disclosure, transfer, and security of personal information in identifiable form relating to agency employees and the public;
   • A detailed analysis of agency intranet, network, and websites for privacy vulnerabilities, including:
       o Noncompliance with stated practices, procedures, and policies; and
       o Risks for inadvertent release of information in an identifiable form from the website of the agency; and
   • A review of agency compliance with Section 522.

The Privacy Act of 1974, 5 U.S.C. § 552a, as amended, and OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, require agencies to collect only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order of the President.
Agencies are required to protect this information from any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the information is maintained, and must not disclose this information except under certain circumstances. The information collected is considered a record under the Privacy Act if it is an item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. When an agency has a group of any records under its control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, the agency has a system of records. The Privacy Act requires that a public notice, commonly referred to as a System of Records Notice (SORN), be published in the Federal Register that describes the existence and character of the system of records.

DOT Privacy Office

DOT collects and uses a significant amount of PII of both employees and the public. The DOT Privacy Office is staffed by four employees. The goal of the DOT Privacy Program is the protection of PII. The program provides leadership and assistance to DOT's OAs on issues related to the Privacy Act of 1974, E-Government Act of 2002 and related Office of Management and Budget privacy guidance.
The Chief Information Officer (CIO) has been designated as the Senior Agency Official for Privacy and is responsible for the DOT Privacy Policy and Program and for providing guidance to DOT supervisors and employees concerning the implementation and application of the Privacy Act, as amended. The Departmental Privacy Officer is the individual appointed by the Chief Information Officer responsible for overseeing the implementation and management of the DOT Privacy Policy and Program. Two staff report to the Departmental Privacy Officer: an employee from OST and an FAA detailee providing assistance 20% of the time. Additionally, each OA has a Privacy Officer. The OA Privacy Officer is responsible for coordinating privacy-related activities and providing guidance on privacy issues within their organizations and implementing privacy policies and procedures within the OA, in coordination with the Departmental Privacy program. The DOT privacy officer maintains an inventory of all information technology systems that collect, use, and share public or employee PII. As of the date of this report, there are 167 such systems. Twelve of the thirteen Operating Administrations contained at least one system with privacy information. The FAA, FMCSA, and OST maintain the largest number of PII systems.

DOT Privacy Monitoring and Compliance

DOT's policy requires the Departmental Privacy Officer to evaluate the effectiveness of DOT's compliance with the Privacy Act, as amended, to ensure the Department is in full compliance with the law and all relevant directives.
These duties include overseeing the Privacy Impact Assessment (PIA) process to ensure all DOT information programs address and resolve privacy issues, including renewing/revising PIAs when there are changes, but not less often than every three years. According to OMB, a PIA is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. The system owner completes the PIA in coordination with the OA Privacy Officer, and the Departmental Privacy Officer reviews and adjudicates the PIA. In addition, the Departmental Privacy Officer is responsible for reviewing, every two years, system of records notices for the Department for accuracy and ensuring amended notices are published to the Federal Register.

DOT Privacy Awareness and Training

According to DOT policy, all DOT employees who come in contact with personal information and the systems that manage that information are required to be aware of legal and Departmental requirements. Training is developed by each OA's Privacy Officer on a yearly basis. Individuals with increased privacy responsibility complete specialized privacy training each year.

The DOT specialized training program for the Chief Information Security Officer, the Information System Security Manager, the information owner, and the staff that supports the responsibilities of these individuals may include the Certified Information Privacy Professional (CIPP) and Certified Information Privacy Professional/Government (CIPP/G).
The Information System Security Officer, the System Administrator, Software Developer/Programmer, Help Desk Coordinator, Database Administrator and Network Administrator training may include the Certified Information Privacy Professional/Information Technology (CIPP/IT).

Results of Audit

Overview

A comprehensive privacy program helps to ensure that risks related to the collection, storage, transmission and destruction of PII are mitigated. A strong privacy program also provides a framework for the agency to consider the implications of business decisions made as they pertain to PII. A privacy program should also help maintain public trust and confidence in an organization, protect the reputation of an organization, and protect against legal liability for an organization by providing the necessary safeguards to minimize the risk of unintended disclosure of PII.

DOT's privacy program had a number of strengths, including but not limited to the following:

   • Privacy reporting activities met the requirements of OMB and the E-Government Act of 2002;
   • The Breach Notification Policy is documented and roles and responsibilities are defined;
   • Privacy incidents are tracked and reported in compliance with USCERT timelines; and
   • Individuals with increased privacy responsibilities complete specialized privacy training on an annual basis.

While DOT's privacy program had a number of strengths, DOT needs to strengthen its implementation of information privacy protections, including full compliance with federal laws, regulations and policies. The audit identified the following opportunities for improving the overall agency-wide privacy program:

   • DOT privacy protection policies need to be enhanced;
   • The process of completing Privacy Impact Assessments needs improvement;
   • The process of regularly monitoring and updating the DOT website inventory needs improvement;
   • Technology controls to assist in safeguarding the confidentiality of PII need improvement;
   • The process of regularly reviewing the privacy policy content on DOT websites needs improvement;
   • The current organizational structure needs to be reviewed to ensure effective management and accountability of the privacy program; and
   • Management needs to demonstrate that controls are effectively implemented for safeguarding PII. In addition, management needs to respond to notification of control weaknesses.

Further, several of the recommendations made in this report relate to privacy practices that have not been incorporated into the agency's policies and procedures. Absent formal policies and procedures, DOT cannot ensure consistent program implementation. Addressing these control deficiencies in privacy and data protection procedures will strengthen DOT's privacy program and contribute to ongoing efforts to achieve reasonable assurance of adequate protection of PII. This report makes ten recommendations to assist DOT in strengthening its privacy program.

CLA concluded that the privacy controls tested taken collectively were not effective. This performance audit did not constitute an audit of financial statements in accordance with GAGAS. CLA was not engaged to, and did not render an opinion on the DOT's internal controls over financial reporting or financial management systems.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that controls may become inadequate because of changes in conditions, or because compliance with controls may deteriorate.

Appendix II (page 26) of this report summarizes the results of testing performed of key criteria selected for evaluation associated with DOT's privacy program and its implementation. Our detailed findings are discussed on pages 11-20.

Finding 1. DOT Privacy Protection Policies Need to be Enhanced

The Privacy Act of 1974 requires each agency head to establish and maintain procedures to establish reasonable administrative, technical, and physical safeguards to assure that records are disclosed only to those who are authorized to have access and otherwise to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

We noted that certain key privacy criteria were not fully addressed in the Departmental Information Resources Management Manual (DIRMM), such as the reduction of social security numbers, the logging of data extracts holding sensitive information, and the erasing of sensitive data within 90 days unless still required. The Departmental Privacy Officer recognized the need for updating the DOT privacy policy and procedures and drafted an updated policy, DOT Order 1351.XX Privacy Risk Management. The draft policy is in the process of being reviewed by the OA privacy officers and CIOs.
The final policy will require inter-agency concurrence, which is planned for the third quarter of 2014. The draft policy addresses making reasonable attempts to substitute other identifying information in place of collecting SSNs. Although the draft policy discusses certain security requirements, it does not specifically address privacy requirements regarding data extracts.

The purpose of these policies and procedures is to define the agency-wide privacy program and practices. Without comprehensive, up-to-date privacy policies and procedures, there is an increased likelihood that privacy may not be fully addressed throughout the lifecycle of DOT's information systems. Moreover, employees and contractors may be performing tasks without clear direction or training, potentially increasing the risk that PII may become subject to unauthorized access, resulting in improper handling or abuse of information.

We recommend the DOT Departmental Privacy Officer:

Recommendation #1. Conducts an annual review of DOT Privacy policies and practices to ensure policies and procedures reflect current regulations, guidance and policy.

Finding 2. DOT needs to improve the process of conducting Privacy Impact Assessments (PIAs)

The E-Government Act requires agencies to conduct a PIA for systems that collect, maintain or disseminate information in identifiable form from or about members of the public,[3] or when initiating a new electronic collection of information in identifiable form for 10 or more persons. The PIA is to be reviewed by the Chief Information Officer, or equivalent official; and if practicable, the privacy impact assessment is to be publicly available through the website of the agency, publication in the Federal Register, or other means.
Furthermore, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, states that Privacy Impact Assessments should be conducted as part of the continuous monitoring program for assessing management, operational and technical controls used to safeguard information systems. Additionally, the Privacy Act requires a system of records notice to be published in the Federal Register when an agency establishes a group of records from which information in identifiable form is retrieved.[4]

[3] According to OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, information in identifiable form is information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.)

According to DOT policy, the Departmental privacy officer is responsible for overseeing the Privacy Impact Assessment process to ensure all DOT information programs address and resolve privacy issues and for renewing/revising privacy impact assessments when there are changes, but not less often than every three years.
Operating Administration Privacy Officers are responsible for coordinating privacy-related activities and providing guidance on privacy issues within their organizations and implementing privacy policies and procedures within the OA, in coordination with the Departmental Privacy program. DOT policy also requires that, prior to using a record, system owners, with the assistance of their OA Privacy Officer (or the Departmental Privacy Officer for OST offices), verify that the intended activity is listed as a routine use in the System of Records notice published in the Federal Register (if a Privacy Act system of records). The general public is to be notified of DOT's systems of personal information records through notice in the Federal Register, in compliance with the Privacy Act.

Based on our review of the September 9, 2008 Review of DOT Privacy Policies and Procedures report and our audit results, we noted that DOT has not made improvements in completing PIAs for information systems containing PII. In 2008, the privacy review reported that one from a sample of 20 systems did not have a completed PIA. Current audit results show that from a sample of 17 systems tested, 11 did not have a completed PIA, showing a decline in DOT's management of the PIA process over the last five years. We also noted that four from the sample of 17 PIAs were not reviewed and updated within the last three years as required by DOT policy. Furthermore, a SORN was not created and published in the Federal Register for one system tested.
Without completing a PIA on a system with PII, DOT may face a potential loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of PII.

Furthermore, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007, directed agencies to review their use of social security numbers (SSNs) in agency systems and programs to identify instances in which collection or use of the social security number is superfluous. Within 120 days from the date of this memo, agencies were to establish a plan in which the agency would eliminate the unnecessary collection and use of social security numbers within eighteen months. DOT management stated the PIA documentation and biennial System of Records Notice (SORN) review processes are the established plan for reviewing the use of social security numbers in DOT systems and programs and eliminating the unnecessary collection and use of SSNs. As a result of the ineffective management of the current PIA process, resulting in the lack of documented and periodic review of PIAs, DOT is at increased risk of not complying with the OMB directive to review the use of SSNs in agency systems and programs and eliminate the unnecessary collection and use of SSNs.

The OA Privacy Officers did not coordinate the privacy-related activities associated with conducting the PIA as required by DOT policy. We also noted a lack of coordination and inconsistent record keeping between the FAA Privacy Officer and the Departmental Privacy Officer with regard to the status of the FAA PIAs. In addition, due to the increased rigor and quality of the review PIAs are subject to by the Departmental Privacy Officer, the time between submission of PIAs for review and publication has increased for some systems. The Departmental Privacy Officer has noted incomplete or inconsistent information in the PIAs. Increased attention to detail and quality by the OA Privacy Officers in documenting the PIAs would reduce the number of comments from the Departmental Privacy Officer that are required to be addressed after initial submission. We noted that a PIA Guidance document has been drafted and circulated with the Operating Administrations by the Departmental Privacy Officer. The PIA Guidance will be finalized and released after the publication of the DOT Order on Privacy Risk Management.

[4] According to Public Law 93-579, as codified at 5 U.S.C. 552a, the Privacy Act (as amended), a "system of records" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

We recommend the DOT Departmental Privacy Officer:

Recommendation #2. Implements procedures that ensure oversight of PIAs, and communicates the requirements and expectations for such assessments and other activities, including but not limited to improved recordkeeping conducted by the Operating Administration Privacy Officers, necessary for program success.

We recommend the Operating Administration Privacy Officers:

Recommendation #3. Ensure PIAs are completed, reviewed and approved by the Departmental Privacy Officer prior to the deployment of any system containing PII.

Finding 3. DOT needs to improve the process of regularly monitoring and updating the DOT website inventory

The E-Government Act and OMB guidance require agencies to post privacy policies on agency websites used by the public.
In order to effectively manage privacy policy information on agency websites, an accurate inventory of agency websites is necessary. Based on our review of the inventory of DOT websites provided by the Departmental Privacy Officer, we noted the inventory listing did not account for all current websites. For example, two FHWA websites on the inventory listing were not functioning. FHWA management confirmed the information was transferred to new websites due to reconstruction of the websites. However, the two new websites were not listed in the website inventory list.

NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (PM-5), Information System Inventory, requires organizations to develop and maintain an inventory of their information systems. The DOT Chief Information Officer did not provide the oversight required to ensure DOT components updated and maintained the inventory of DOT websites.

Without an accurate inventory listing of DOT websites, DOT may not be aware of all agency websites that collect PII. Consequently, DOT may be exposed to inappropriate or unauthorized access of PII which may result in personal harm, loss of public trust, legal liability or increased costs of responding to a breach of PII.

We recommend the DOT Chief Information Officer:

Recommendation #4. Ensures the inventory of systems containing PII and DOT websites is monitored and updated at least annually and implements procedures that will trigger a change to the inventory listing when systems are added, deleted, or when changes occur.

Finding 4. DOT needs to improve technology controls to assist in safeguarding the confidentiality of PII

The Privacy Act of 1974 and the Consolidated Appropriations Act of 2005 require appropriate safeguards to ensure the security and confidentiality of records and to protect information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The Consolidated Appropriations Act of 2005 specifies that the Chief Privacy Officer is to assume primary responsibility for privacy and data protection policy, including assuring that the use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form and ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), describes many types of security controls available to safeguard the confidentiality of PII, including identification and authentication, allowing remote access only with two-factor authentication, using a time-out function for remote access and mobile devices requiring user re-authentication after thirty minutes of inactivity, and encryption of remote access communications and removable information system media in transport and in storage.

We noted the following issues related to security controls for safeguarding the confidentiality of PII:

   • DOT needs to strengthen controls for remote access
   • DOT needs to ensure password configurations for all systems are in compliance with DOT policy
   • DOT needs to ensure encryption of all removable media containing PII
   • DOT needs to enhance the monitoring process of unauthorized mobile devices

Remote Access

OMB Memorandum M-06-16, Protection of Sensitive Agency Information, requires Federal agencies to implement protection of "Remote" Information for the protection of PII. Remote access pertains to information accessed remotely or physically transported outside of the agency's secured, physical perimeter (this includes information transported on removable media and on portable/mobile devices such as laptop computers and/or personal digital assistants). This guidance specifies that agencies implement NIST Special Publication (SP) 800-53 security controls enforcing encrypted remote access sessions and encrypted remote storage of personally identifiable information. The specific intent of the requirements is to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of, the agency location. Furthermore, OMB Memorandum M-06-16 requires organizations to allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access, and to use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity.

DOT policy adheres to NIST and OMB requirements by requiring System Owners to enforce multi-factor authentication for all network access to privileged and non-privileged accounts.
All remote devices which require remote access to a DOT network or system must implement a time-out function for remote access that requires a user to re-authenticate after no more than 30 minutes of inactivity. However, we were not able to validate that this control was implemented due to lack of evidence provided.

In addition, based on review of the FY 2013 Department of Transportation FISMA report issued November 22, 2013, we noted that DOT has made limited progress in implementing the use of Personal Identification Verification (PIV) cards for user access to systems. During 2012, DOT increased PIV card issuance to above 97 percent, but provisioning (unique identifiers that associate a card to its holder) remains at only 13 percent. Therefore, two-factor authentication for remote access has not been fully implemented.

Finally, we were not able to validate whether remote access to the MARAD system tested was encrypted due to lack of evidence provided.

Password Configuration

NIST SP 800-53, IA-2, Identification and Authentication (Organizational Users), requires information systems to uniquely identify and authenticate organizational users. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or, in the case of multifactor authentication, some combination thereof. Also, IA-5, Authenticator Management, requires that user authenticators such as passwords have sufficient strength for their intended use.
The information system should support user authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length and password composition.

We noted the following exceptions related to noncompliance with DOT policy for password configuration:

   • From a sample of 10 FAA systems tested, three systems were not in compliance with DOT policy.
   • For the sample of one FMCSA system tested, the system was not in compliance with DOT policy.
   • For the sample of one MARAD system tested, the system was not in compliance with DOT policy.
   • For the sample of one NHTSA system tested, the system was not in compliance with DOT policy.
   • From a sample of two OST systems tested, one system was not in compliance with DOT policy. For the other system we were not able to determine whether the system was in compliance with DOT policy due to lack of evidence provided.
   • For the sample of one RITA system tested, the system was not in compliance with DOT policy.

Based on our review of the September 9, 2008 Review of DOT Privacy Policies and Procedures report and our current audit test results, we noted an increase in DOT systems that were not compliant with DOT password configuration policy in the last five years. In the 2008 privacy review, four from a sample of 20 systems were not in compliance; current audit results showed that nine from a sample of 17 systems were not in compliance.

Encryption of Backup Media

NIST SP 800-53, MP-4, Media Storage, requires organizations to protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. MP-5, Media Transport, requires organizations to protect and control media during transport outside of controlled areas.
The supplemental guidance states that physical and technical security measures for the protection of digital and non-digital media are commensurate with the classification or sensitivity of the information residing on the media, and consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

In addition, DOT policy states the system owner must protect the confidentiality and integrity of backup information at the storage location. All sensitive data stored on media must be encrypted using FIPS 140-2 encryption standards. Furthermore, the DOT Rules of Behavior in the Cybersecurity Compendium specify that users are not to store or transport any DOT sensitive information on any portable storage media or device unless it is encrypted using DOT-approved encryption.

We were not able to validate whether backup media was encrypted for the MARAD system tested due to lack of evidence provided.

Monitoring of Unauthorized Mobile Devices

NIST SP 800-53, AC-19, Access Control for Mobile Devices, requires organizations to monitor for unauthorized connections of mobile devices to organizational information systems. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Systems which provide network access to portable and mobile devices must implement a means to detect unauthorized devices and block their access to DOT networks and systems.

DOT policy requires monitoring for unauthorized connections of mobile devices to DOT information systems.
Systems which provide network access to portable and mobile devices must implement a means to detect unauthorized devices and block their access to DOT networks and systems. We noted that the DOT Cyber Security Management Center (CSMC) employs Tivoli Endpoint Manager BigFix to scan the network for unauthorized devices; however, follow-up action on unauthorized devices was not provided.

According to the Cybersecurity Compendium, the Chief Information Officer (CIO) is responsible for developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements. Operating Administration CIOs typically oversee personnel with significant responsibilities for information security and ensure that personnel are adequately trained. The DOT CIO did not ensure adequate oversight of OA cybersecurity programs to ensure technology controls are implemented and operating according to federal requirements and DOT policy in order to assist with safeguarding the confidentiality of PII. Additionally, the OA Privacy Officers did not ensure that specific privacy-related security controls for their systems were in effect to ensure systems were compliant with DOT password configuration requirements, backup media was encrypted, remote access controls were fully implemented (including two-factor authentication and a time-out function for remote access), and unauthorized mobile devices were monitored, including follow-up action for unauthorized devices.

A lack of adequate security controls may increase the risk of DOT’s security, as well as information integrity, becoming compromised.
DOT’s sensitive materials, assets and PII may become subject to unauthorized access, modification, or removal.

We recommend the DOT Chief Information Officer:

Recommendation #5. Implements and monitors a process for ensuring information system security controls are implemented and operating according to federal requirements and DOT policy in order to assist with safeguarding the confidentiality of PII.

We recommend the Operating Administration Privacy Officers:

Recommendation #6. Ensure ongoing validation that specific privacy-related security controls for their systems are in effect, including those that safeguard confidentiality, provide secure remote access, encryption of backup media, follow-up of unauthorized mobile devices, and proper user account and password settings in accordance with DOT policy. In addition, implement procedures requiring Operating Administrations to report non-compliance in their systems to the DOT Chief Privacy Officer.

Finding 5. DOT needs to improve the process of regularly reviewing privacy policy content on DOT websites

The E-Government Act and OMB guidance require agencies to post privacy policies on agency websites used by the public, on major entry points to agency websites as well as at any web page where substantial personal information from the public is collected. In addition, according to OMB Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites, agencies must take care to ensure full adherence with stated privacy policies. The DIRMM states that individuals who provide their personal information to DOT are to be given adequate and accurate notice of the information program’s data handling practices.
Prior to commencing a new or modified information collection effort, all DOT elements are to include a privacy policy, or a link to a privacy policy, on the homepage and all pages that collect personal information, which is clearly labeled, easy to access, and written in plain language.

We noted that for one of 14 sampled FHWA websites, the privacy policy was not easily accessible from the home page. Upon notification of this issue to FHWA management, the Privacy Policy was made easily accessible from the home page. Additionally, 10 of 14 sampled FHWA websites contained information that was not in adherence with the stated privacy policy. The websites displayed a statement, “We do not use cookies⁵ on this Web site,” within the posted privacy policy. However, the websites did indeed use cookies. FHWA management indicated that the cookies were related to the DOT Google Analytics and the ForeSee Customer Satisfaction Survey and that the information posted within the Privacy Policy would be updated accordingly.

The FHWA Privacy Officer did not conduct a periodic review of the privacy policy posted on the FHWA websites to ensure it was accurate and accessible from major entry points. Without reviewing and accurately posting the Privacy Policy on a public website, DOT is at an increased risk that incorrect information is available to the public. The lack of transparency of the Privacy Policy can tarnish DOT’s credibility and carries potential legal ramifications.

⁵ According to NIST SP 800-63-1, Electronic Authentication Guideline, cookies are text files used by a browser to store information provided by a particular web site.
The contents of the cookie are sent back to the web site each time the browser requests a page from the same web site. The web site uses the contents of the cookie to identify the user and prepare customized Web pages for that user, or to authorize the user for certain transactions.

We recommend the Operating Administration Privacy Officers:

Recommendation #7. Conduct an annual review of their web sites to ensure proper and accurate posting of their privacy policies.

Finding 6. DOT needs to review the current organizational structure of the privacy program to ensure effective management and accountability of the privacy policy and program

According to OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, each executive Department and agency (“agency”) is to identify to OMB the senior official who has the overall agency-wide responsibility for information privacy issues. Consistent with the Paperwork Reduction Act, the agency’s Chief Information Officer (CIO) may perform this role. Alternatively, if the CIO, for some reason, is not designated, the agency may have designated another senior official (at the Assistant Secretary or equivalent level) with agency-wide responsibility for information privacy issues. In any case, the senior agency official should have authority within the agency to consider information privacy policy issues at a national and agency-wide level.

According to the DIRMM, the Chief Privacy Officer, as defined by OMB Memorandum M-05-08, is the senior official who has been identified to OMB as having overall responsibility for information privacy issues.
DOT has designated the CIO for this role, responsible for the DOT Privacy Policy and Program and for providing guidance to DOT supervisors and employees concerning the implementation and application of the Privacy Act, as amended. The Departmental Privacy Officer is the individual, appointed by the CIO, who is responsible for overseeing the implementation and management of the DOT Privacy Policy and Program. The Departmental Privacy Officer is responsible for:

    •   reviewing, approving and communicating DOT privacy policies;
    •   overseeing the Privacy Impact Assessment process to ensure all DOT information programs address and resolve privacy issues;
    •   renewing/revising Privacy Impact Assessments when there are changes, but not less often than every three years;
    •   reviewing, every two years, system of records notices for the Department for accuracy and ensuring amended notices are published to the Federal Register;
    •   providing guidance to OA Privacy Officers on their responsibilities; and
    •   evaluating the effectiveness of DOT’s compliance with the Privacy Act, as amended, to ensure the Department is in full compliance with the law and all relevant directives.

Although the DIRMM specifies that the Departmental Privacy Officer is responsible for overseeing the privacy program, including the PIA process, the current organizational structure only allows the Departmental Privacy Officer to function in an advisory role, as there is not a formal line of accountability from the OA Privacy Officers to the Departmental Privacy Officer. The OA Privacy Officers report directly to the OA CIO. The Departmental Privacy Officer tracks PIA status, and reviews and adjudicates PIAs that are submitted; however, within the current reporting structure, the Departmental Privacy Officer lacks the authority to be effective in overseeing the PIA process.
The lack of accountability in the organizational structure of the DOT privacy program inhibits effective administration of the implementation and management of the DOT Privacy Policy and Program.

We recommend the DOT Chief Information Officer:

Recommendation #8. Conducts a review of the organizational structure and resources and requests necessary changes to improve program compliance and strengthen the line of accountability from the Operating Administration Privacy programs to the Departmental Privacy Officer in order for the Departmental Privacy Officer to effectively administer the implementation and management of the DOT Privacy Policy and Program.

Finding 7. DOT needs to ensure management can demonstrate that controls are effectively implemented for safeguarding PII. In addition, DOT needs to ensure management responds to notification of control weaknesses.

We noted several instances in which Operating Administration management could not demonstrate that controls were operating effectively due to lack of evidence provided. Of the seven OAs selected for the audit, three (MARAD, OST and RITA) did not provide all of the documentation requested. In addition, the same OAs did not respond to our notification of findings. The lack of accountability by management affects the Departmental Privacy Officer’s ability to successfully monitor the effectiveness of DOT’s compliance with the Privacy Act, as amended, to ensure the Department is in full compliance with the law and all relevant directives, as the DIRMM specifies. Moreover, without management’s response to notification of findings, the risk is increased that remediation of control weaknesses and improvements to the privacy program may be hindered.

Section 522
of the Consolidated Appropriations Act, 2005, requires that the Department protect information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Moreover, FISMA requires that senior agency officials provide information security for the information and information systems that support the operations and assets under their control and periodically test and evaluate security controls and techniques to ensure that they are effectively implemented.

Furthermore, according to OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies. Agencies also have the authority to conduct periodic reviews (e.g., as part of their annual FISMA reviews) to promptly identify deficiencies, weaknesses, or risks. When compliance issues are identified, agencies are obligated to take appropriate steps to remedy them.

The DOT CIO (designated DOT Chief Privacy Officer) did not provide the necessary level of oversight and guidance to personnel responsible for the implementation of the DOT privacy program, including the operating effectiveness of information security controls, to ensure the program was compliant with federal laws and regulations.

Without a robust privacy program, adequate controls may not be implemented, increasing the threat of a breach of PII. This can lead to personal harm, loss of public trust, legal liability, or increased costs of responding to a breach of PII.

We recommend the DOT Chief Information Officer:

Recommendation #9.
Implements and monitors a process for ensuring compliance with the Privacy Act, as amended, and all other federal privacy-related directives, as well as DOT’s established privacy and data protection policies.

Recommendation #10. Updates DOT policy to reinforce Operating Administrations’ responsibilities to ensure they are able to demonstrate the privacy controls required by federal laws and regulations, and DOT policies, by providing evidence that the controls are in place and functioning effectively, and by responding to notification of findings to make sure that control weaknesses are addressed.

Responses

The DOT Chief Information Officer’s response to this report will be delivered directly to the DOT Assistant Inspector General for Financial and Information Technology Audits.

Appendix I – Objective, Scope, and Methodology

Objective

The objective of the audit was to evaluate DOT information management practices for the protection of PII in order to:

A. determine the accuracy of the descriptions of the use of information in identifiable form while accounting for current technologies and processing methods;
B. determine the effectiveness of privacy and data protection procedures by measuring actual practices against established procedural guidelines;
C. ensure compliance with the stated privacy and data protection policies of DOT and applicable laws and regulations; and
D.
ensure that all technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use, and distribution of information in operation of the program and provide DOT with recommendations, strategies, and specific steps to improve privacy and data protection management.

Scope

We conducted this audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. In assessing DOT’s compliance with the requirements of Section 522, CLA evaluated the following areas:

    •   DOT’s Privacy Policies and Procedures;
    •   DOT’s Privacy Office;
    •   DOT’s Privacy Monitoring and Compliance (included evaluation of PIAs and SORNs);
    •   Privacy vulnerability analysis of DOT’s network and website; and
    •   Privacy Awareness and Training.

CLA performed a review of the following documentation provided by the DOT:

    •   DOT DIRMM, Chapter 8 Privacy Protections
    •   DOT Order 1351.20, U.S. Department of Transportation Rules of Conduct and Consequences Policy Relative to Safeguarding Personally Identifiable Information
    •   DOT Order 1351.38, DOT Privacy Policy for the Information Sharing Environment
    •   DOT Order 1351.37, Departmental Cybersecurity Policy
    •   U.S.
Department of Transportation Departmental Cybersecurity Compendium
    •   DOT Order 1351.19, Personally Identifiable Information (PII) Breach Notification Controls
    •   U.S. Department of Transportation Biennial System of Records Notice (SORN) Review Process and Guidance
    •   Draft Departmental Privacy Risk Management Policy
    •   Draft Privacy Impact Assessment (PIA) Development Guide
    •   Draft Privacy NIST 800-53 Appendix J DOT Approach
    •   Privacy Office Organizational Chart
    •   Senior Agency Privacy Official Designation
    •   Senior Agency Official for Privacy (SAOP) Annual FISMA Report
    •   Inventory of IT Systems with Personally Identifiable Information

Methodology

1. Review of DOT’s Privacy Policies and Procedures

CLA performed a thorough review of DOT’s policy documentation to assess adherence to Section 522. CLA also reviewed the Senior Agency Official for Privacy (SAOP) Annual FISMA Report. In assessing the privacy policies and procedures, CLA determined compliance with federal guidelines related to privacy and protection of personally identifiable information.

2. Review of DOT’s Privacy Office

CLA performed a review of DOT’s Privacy Office to determine whether the office effectively and efficiently administered DOT’s privacy program. In assessing the Privacy Office, CLA reviewed the agency’s organization charts/structure and interviewed key privacy officials to determine whether the agency has identified roles and responsibilities for key privacy officials.
CLA also interviewed the Departmental Privacy Officer to determine if she was performing all responsibilities and had sufficient resources to perform her duties. In addition, CLA determined whether the Privacy Office established processes for ensuring agency compliance with Federal and agency privacy policies. CLA also determined whether the Privacy Office implemented procedures for identifying and securing information systems containing PII.

3. Review of DOT’s Privacy Monitoring and Compliance

CLA performed procedures to determine whether the Privacy Office effectively and efficiently administers DOT’s privacy program. To accomplish this objective, CLA:

    •   Determined whether DOT identified and maintained a complete inventory of information systems containing PII and systems requiring PIAs and has conducted PIAs for the information systems.
    •   For a sample of seventeen information systems, CLA reviewed the PIAs and determined whether these PIAs have, at a minimum, analyzed and described:
            o What information needs to be collected (e.g., nature and source);
            o Why the information is being collected (e.g., to determine eligibility);
            o Intended use of the information (e.g., to verify data);
            o With whom the information will be shared (e.g., another agency for a specified programmatic purpose);
            o Opportunities individuals have to decline to provide information (e.g., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how individuals can grant consent; and
            o How the information will be secured (e.g., administrative and technological controls).
    •   CLA performed procedures to determine whether a SORN was published in the Federal Register.
    •   Furthermore, consistent with guidance issued by OMB in 2007 related to privacy protection (OMB Memorandum M-07-16), CLA reviewed procedures implemented by DOT to ensure:
            o Privacy was adequately protected and DOT management has implemented breach notification policies;
            o Procedures were in place to reduce the use of SSNs;
            o Policies existed to notify external agencies about privacy breaches; and
            o DOT has implemented policies for consequences and accountability for privacy violations.

4. Privacy Vulnerability Analysis

CLA performed a review and analysis of DOT’s network and its external websites for privacy vulnerabilities in accordance with Section 522. These privacy vulnerabilities include noncompliance with stated practices, policies and procedures as well as risks of inadvertent release of information in an identifiable form from the website of the agency. CLA reviewed the privacy incidents to determine whether any vulnerabilities were identified on the DOT network related to the risk of inadvertent release of information in an identifiable form from the agency’s network.

In addition, CLA gained an understanding of DOT’s documented standards regarding its systems’ handling and tracking of PII.
Once the CLA team had an understanding of the agency’s policies as well as its approach to privacy compliance, the team worked with the appropriate DOT personnel to test and document the application of selected privacy-related technical controls from OMB Memorandum M-06-16, Protection of Sensitive Agency Information, NIST Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), and related NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, including the following:

    •   Encryption. Encrypt, using only National Institute of Standards and Technology (NIST) certified cryptographic modules, all data on mobile computers/devices carrying agency data unless the data is determined not to be sensitive, in writing, by your Deputy Secretary or a senior-level individual he/she may designate in writing;
    •   Control Remote Access. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
    •   Time-Out Function. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after thirty minutes of inactivity;
    •   Log and Verify. Log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required; and
    •   Ensure Understanding of Responsibilities.
Ensure all individuals with authorized access to personally identifiable information and their supervisors sign at least annually a document clearly describing their responsibilities.

NIST SP 800-53 technical controls tested included:

    •   Access Control
            o Least Privilege – AC-6
            o Remote Access – AC-17
            o Wireless Access – AC-18
            o Access Control for Mobile Devices – AC-19
    •   Configuration Management
            o Configuration Settings – CM-6
    •   Security Assessment and Authorization
            o Information System Connections – CA-3
    •   Identification and Authentication
            o Identification and Authentication (Organizational Users) – IA-2
    •   Incident Response
            o Incident Handling – IR-4
            o Incident Monitoring – IR-5
            o Incident Reporting – IR-6
    •   Media Protection
            o Media Storage – MP-4
            o Media Transport – MP-5
    •   Planning
            o Privacy Impact Assessment – PL-5
    •   System and Communications Protection
            o Boundary Protection – SC-7
            o Transmission Confidentiality – SC-9

CLA performed procedures to determine if the Agency has implemented encryption on data transmitted over the agency’s communication infrastructure, with emphasis on encryption of systems containing privacy data.
Our testing enabled us to determine if the information transmitted across the network boundaries is secure and to identify any control weaknesses with respect to PII.

In order to conduct the website testing discussed above, CLA performed procedures for a sample of thirty-four websites to determine the following:

    •   Whether the website was using Secure Socket Layer (SSL) to capture and transfer Privacy Act protected user data.
    •   Whether the appropriate privacy policy and disclosures were posted and available for all visitors and users of the website. In addition, CLA assessed the web privacy policies to determine compliance with the requirements set forth in OMB Memorandum M-03-22, Section III – Privacy Policies on Agency Websites, and DOT Privacy Policies.
    •   Whether the website was in compliance with the use of tracking mechanisms.
    •   Whether DOT has implemented machine readability technology on its public website, such as Privacy Preferences Project Protocol (P3P).

5. Review of DOT’s Privacy Awareness and Training

CLA performed procedures to determine whether the agency has established privacy training requirements in accordance with Federal and Agency guidance. In addition, CLA determined whether DOT has implemented a training program regarding role-based training for individuals responsible for PII. CLA documented whether specific user roles have been identified by DOT that require role-based training.

To assist in the audit, CLA reviewed prior year reports to identify potential risk areas.
The prior year reports include: Review of DOT Privacy Policies and Procedures, issued September 9, 2008, and the report FISMA 2012: Ongoing Weaknesses Impede DOT’s Progress Toward Effective Information Security, issued November 14, 2012. CLA also reviewed the report FISMA 2013: DOT Has Made Progress, But Its Systems Remain Vulnerable to Significant Security Threats, issued November 22, 2013. Additionally, CLA reviewed DOT’s policies, procedures and records and conducted interviews of DOT employees.

CLA’s Independent Audit of DOT’s Privacy Program - 2013

Appendix II – Summary of Key Criteria Tested

Policy Requirement / Audit Conclusion

1       Sec 522 of the 2005 Appropriations Act

1.a     Assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form
        Audit Conclusion: Issue Noted. See Recommendation #6 and 7.

1.b     Assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program
        Audit Conclusion: Issue Noted. See Recommendation #10.

1.c     Assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974
        Audit Conclusion: No issues noted.

1.d     Evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the federal government
        Audit Conclusion: No issues noted.

1.e     Conducting a privacy impact assessment of proposed rules of the department on the privacy of information in an identifiable form, including the type of personally identifiable information collected and the number of people affected
        Audit Conclusion: No issues noted.

1.f     Preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementations of section 552a of title 5, 11 United States Code, internal controls and other relevant matters
        Audit Conclusion: No issues noted.

1.g     Ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
        Audit Conclusion: Issue Noted. See Recommendation #6 and 7.

1.h     Training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies
        Audit Conclusion: No issues noted.

1.i     Each agency shall prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures and record it with the Inspector General of the agency to serve as a benchmark for the agency
        Audit Conclusion: No issues noted.

1.j     Each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974, and section 208 of the E-Government Act of 2002.
        Audit Conclusion: Issue Noted. See Recommendation #1.

2       Privacy Act of 1974

2.a     Agencies are to report to OMB a brief summary of changes to the total inventory of personal data systems subject to the provisions of the Act including reasons for major changes
        Audit Conclusion: Issue Noted. See Recommendation #4 and 5.

2.b     Publication of SORNs
        Audit Conclusion: Issue Noted. See Recommendation #2 and 3.

2.c     Identify each system of records which the agency maintains
        Audit Conclusion: No issues noted.

2.d     Establish reasonable administrative, technical and physical safeguards to assure that records are disclosed only to those who are authorized to have access
        Audit Conclusion: Issue Noted. See Recommendation #6 and 7.

3       E-Government Act of 2002

3.a     Agencies are to (1) conduct Privacy Impact Assessments (PIA) of information technology and collections and, in general, make PIAs publicly available; (2) post privacy policies on agency Web sites used by the public; and (3) translate privacy policies into a machine-readable format.
        Audit Conclusion: Issue Noted. See Recommendation #2 and 3.

4       OMB M-07-16

4.a     Review and Reduce the volume of PII
        Audit Conclusion: No issues noted.

4.b     Reduce the Use of Social Security Numbers
        Audit Conclusion: Issue Noted. See Recommendation #2 and 3.

4.c     Encrypt all data on mobile computers/devices carrying agency data unless the data is determined not to be sensitive, in writing, by your Deputy Secretary or a senior-level individual he/she may designate in writing.
        Audit Conclusion: Issue Noted. See Recommendation #6 and 7.

4.d     Allow remote access only with two factor authentication where one of the factors is provided by a device separate from the computer gaining access
        Audit Conclusion: Issue Noted. See Recommendation #6 and 7.

4.e     Use a “time-out” function for remote access and mobile devices requiring user re-authentication after thirty minutes of inactivity
        Audit Conclusion: Issue Noted. See Recommendation #6 and 7.

4.f     Log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required
        Audit Conclusion: No issues noted.

4.g     Implement procedures for detecting, reporting and responding to security incidents
        Audit Conclusion: No issues noted.

4.h     Rules and consequences policy
        Audit Conclusion: No issues noted.

5       OMB M-03-22

5.a     Conduct PIAs for electronic information systems and collections and, in general, make them publicly available
        Audit Conclusion: Issue Noted. See Recommendation #2 and 3.

5.b     Post privacy policies on agency websites used by the public
        Audit Conclusion: Issue Noted. See Recommendation #8.

5.c     Translate privacy policies into a standard machine-readable format
        Audit Conclusion: No issues noted.

5.d     Report annually to OMB on compliance with section 208 of the E-Government Act
        Audit Conclusion: No issues noted.

6       OMB M-05-08

6.a     Agencies are required to maintain appropriate documentation regarding their compliance with information privacy laws, regulations, and policies.
        Audit Conclusion: Issue Noted. See Recommendations #9 and 10.
And,\n       agencies have the authority to conduct periodic reviews (e.g., as part of their\n       annual FISMA reviews) to promptly identify deficiencies, weaknesses, or risks.\n       When compliance issues are identified, agencies are obligated to take\n       appropriate steps to remedy them.\n6.b    Each executive Department and agency (\xe2\x80\x9cagency\xe2\x80\x9d) is to identify to OMB the No issues noted.\n       senior official who has the overall agency-wide responsibility for information\n       privacy issues. Consistent with the Paperwork Reduction Act, the agency\xe2\x80\x99s Chief\n       Information Officer (CIO) may perform this role.\n7      OMB M-06-19\n7.a    Report security incidents to a Federal incident response center (US-CERT) within No issues noted.\n       one hour of discovering the incident.\n8      OMB M-10-22\n8.a    Federal agency use of web measurement and customization technologies            No issues noted.\n\n\n\n                                                                            29\n\x0c     CLA\xe2\x80\x99s Independent Audit of DOT\xe2\x80\x99s Privacy Program - 2013\n\n\n        Policy Requirement                                                             Audit Conclusion\n9       OMB M-00-13\n9.a     Ensure full adherence with stated privacy policies                             Issue Noted. See Recommendation #8.\n10      OMB M-99-18\n10.a    Posting of privacy policies on major entry points to agency\xe2\x80\x99s websites as well as Issue Noted. See Recommendation #8.\n        at any web page where substantial personal information from the public is\n        collected\n11      NIST SP 800-122\n11.a    Awareness, Training, and Education                                             No issues noted.\n11.b Security Controls                                                                 Issue Noted. See Recommendation #6 and 7.\n\n\n\n\n                                                                        30\n\x0c'